October 15, 2014

The German operation Eikonal as part of NSA's RAMPART-A program

(Updated: May 30, 2015)

Just over a week ago, the regional German paper Süddeutsche Zeitung and the regional broadcasters NDR and WDR published a story saying that between 2004 and 2008, the German foreign intelligence service BND had tapped into the Frankfurt internet exchange DE-CIX and shared the intercepted data with the NSA. As not all communications of German citizens could be filtered out, this is considered a violation of the constitution.

Here we will give a summary of what is currently known about this BND operation and we will combine this with information from earlier reports. This will show that it was most likely part of the RAMPART-A program of the NSA, which includes similar interception efforts by foreign partner agencies. Finally, we will look at where exactly the BND interception might have taken place.

> See also: New details about the joint NSA-BND operation Eikonal

Update #1:
On October 20, the Danish paper Information has confirmed that the German BND operation Eikonal was indeed part of the RAMPART-A program: a document from NSA's SSO division lists an operation codenamed "EIKANOL" as part of RAMPART-A and says it was decommissioned in June 2008. Unfortunately the original document wasn't published.

Update #2:
During hearings of BND officials by the German parliamentary committee investigating NSA spying, it became clear that operation Eikonal was actually tapping into just one fiber-optic cable from Deutsche Telekom, and not into the Frankfurt internet exchange DE-CIX. This was confirmed by German media on December 4, 2014.

The German operation Eikonal

The codename for the BND operation was Eikonal, which is a scientific German word, derived from Greek, meaning likeness, icon or image. Details about it were found in BND documents marked Streng Geheim (Top Secret), which were handed over to a committee of the German parliament that investigates NSA spying activities (NSA Untersuchungsausschuss). It's not clear whether journalists were able to read these documents themselves, or were just told about their contents.

The operation was set up in 2003 as a cooperation between BND and NSA, with the BND providing access to the Frankfurt internet exchange DE-CIX, and NSA providing sophisticated interception equipment, which the Germans didn't have but were eager to use. Interception of telephone traffic started in 2004; internet data were captured from 2005 onwards. Reportedly, NSA was especially interested in communications from Russia.

For this, NSA provided BND with lists of 'selectors' like phone numbers and e-mail addresses. According to the testimony of a BND employee at a committee hearing last month, his co-workers pulled these selectors from an American server 2, 3 or 4 times a day and entered them into the system that does the actual interception.

The article in Süddeutsche Zeitung says that from DE-CIX, the data first went to BND headquarters in Pullach, and then to the Mangfall barracks in Bad Aibling, where BND and NSA analysts secretly worked together as the Joint SIGINT Activity (JSA, terminated in 2012). From there, there was a secure line back to NSA headquarters.

Operations center room in the former BND headquarters in Pullach

To prevent communications of German citizens being passed on to NSA, BND installed a special program (codenamed DAFIS) to filter these out. But according to the documents, this filter didn't work properly from the beginning. An initial test in 2003 showed the BND that 5% of the data of German citizens could not be filtered out.

A review of operation Eikonal reported that a "complete and accurate" separation between German and foreign telecommunications was impossible. Also, BND wasn't able to fully check this because of a lack of technical expertise.

The documents also suggest that the intelligence oversight committees of the Bundestag were not properly informed. The BND noticed at some point that the NSA searched for information about the European defence contractor EADS (now Airbus Group), the Eurocopter and French government agencies. Together with doubts about the legality of the Eikonal operation, this resulted in ending the cooperation with NSA in 2008.

Reportedly, NSA wasn't happy with that and sent its deputy director John Inglis to Berlin in order to demand some kind of "compensation": if not Frankfurt, then BND should offer access to another European fiber-optic cable. Süddeutsche Zeitung says that at that time, BND got access to a cable of "global importance", to which NSA did not have access. NSA then became a "silent partner" receiving data from this new BND interception effort.

Meanwhile, two members of the German parliamentary investigation committee, who are cleared for the BND documents about Eikonal, said that the aforementioned press reports were not always correct. According to one member, it actually wasn't BND but NSA that ended the cooperation, apparently because the Germans were filtering the data so heavily that the outcome wasn't of much interest to NSA anymore.


The RAMPART-A program of NSA

Those who have followed the Snowden-leaks, may have recognized that operation Eikonal is identical to cable tapping operations which are conducted under the RAMPART-A program of NSA. According to some of the Snowden-documents, this is an umbrella program under which NSA cooperates with 3rd Party countries, who "provide access to cables and host U.S. equipment".

The slide below clearly shows that such a partner country taps an international cable at an access point (A) somewhere in that country and then forwards the data to a processing center (B). Equipment provided by the NSA processes the data and analysts from the host country can then analyse the intercepted data (C) before they are forwarded to an NSA site in the US (D):

Details about NSA's RAMPART-A program were published by the Danish newspaper Information in collaboration with Greenwald's website The Intercept on June 19, 2014. The program reportedly involved five countries, and cooperation with two others was being tested. In total, all RAMPART-A interception facilities gave access to 3 terabits of data every second.

The disclosed documents list 13 RAMPART-A sites, nine of which were active in 2013. The three largest are codenamed SPINNERET, MOONLIGHTPATH and AZUREPHOENIX, which by the number of records are NSA's second, third and fifth most productive cable tapping programs - which shows the importance of these 3rd Party relationships for NSA.

Eikonal (which most likely had a different NSA codename, and which seems to be misspelled as EIKANOL in the NSA document seen by Information) isn't included in these documents, as they date from at least two years after this operation was ended.

The exact locations of these access points are protected under the Exceptionally Controlled Information (ECI) compartment REDHARVEST (RDV), to which Snowden seems to have had no access. Therefore we don't know which countries are participating in the RAMPART-A program, although some of the documents contain leads pointing to Denmark and Germany.

These foreign partnerships operate on the condition that the host country will not use the NSA’s technology to collect any data on US citizens. The NSA agrees that it will not use the access it has been granted to collect data on the host countries’ citizens, but one NSA presentation slide (marked NOFORN: Not for Foreign Nationals) notes that "there ARE exceptions" to this rule:

According to a 2010 briefing, intelligence collected via RAMPART-A yielded over 9000 intelligence reports the previous year, half of which were based solely on intelligence intercepted through RAMPART-A.

More about RAMPART-A

What the reports on both websites didn't mention is that RAMPART-A is apparently focused on collecting information about Russia, the Middle East and North Africa. This comes from Der NSA Komplex, a book about the Snowden revelations written by two journalists from Der Spiegel. Unfortunately this book, which is much more informative than the one by Glenn Greenwald, is only available in German.

Besides 3rd Party partners giving access to cables in their own country, there's also a construction in which such a partner agency cooperates with yet another country that secretly provides access to data traffic, which is also shared with NSA. In recent years, BND and NSA conducted about half a dozen such operations, three of which are mentioned in Der NSA Komplex:

- Tiamat (access to high-level international targets under risky circumstances. This operation had ended before 2013)*

- Hermos (in the Spring of 2012, BND got access to communication cables in a crisis zone country, but this operation had to be terminated by the end of the year when the situation almost went out of control)*

- Wharpdrive (this operation was still active in 2013, but in the Spring of that year, employees of the private company that operates the communication cables accidentally discovered the clandestine BND/NSA equipment; the operation was rescued by providing a plausible cover story)*

In the follow-up report by the Danish paper Information from October 20, 2014, it is said that the WHARPDRIVE access was opened in February 2013 and had the same size as EIKANOL. Information claims that according to Der Spiegel this access was also located in Germany, but Der NSA Komplex says it was a joint venture with a third country and in an NSA document from April 2013 it is also called a "trilateral program", which was "identified for possible termination due to fiscal constraints". From this document it seems the program had EMERALD as an alternate codename.


Where did the tapping take place?

The best kept secret is the actual location where the BND tapping point was. Süddeutsche Zeitung reports that in the original documents the name of the provider is blacked out, but that according to insiders, it must have been Deutsche Telekom that assisted BND. The paper even says both parties signed an agreement in which the provider earned a payment of 6.000,- euros a month in return for the access.

This seems to correspond with a report broadcast by the German television magazine Frontal 21 in July last year, saying that BND had had access to the Frankfurt internet exchange through its own cable since 2009. According to an insider, this cable access was under the cover of a major German telecom provider, and it was speculated that this was Deutsche Telekom.

But as some people noticed, Deutsche Telekom was not connected to DE-CIX when operation Eikonal took place. In 2008, the actual routers and switches of DE-CIX were situated in 18 data centers from InterXion, TeleCity, Equinix, Level 3, ITENOS and e-shelter. Since 2008, the distributed DE-CIX switches are interconnected through the priva|nex private fiber-optic network from euNetworks.

Diagram of the Frankfurt internet exchange point DE-CIX

Maybe before 2008 the DE-CIX switches were connected by fiber cables from Deutsche Telekom, but if not, there seems to be no way this company could have provided the BND access to the Frankfurt internet exchange. If the 6000,- euro contract really involved Deutsche Telekom, then maybe for the rent of a private cable from the tapping point to a BND site.

In response to earlier media reports, the DE-CIX management put out a press release on June 26, 2014 saying: "We exclude that any foreign or domestic secret service had access to our internet exchange and the connected fiber-optic networks during the period of 2004 - 2007". It was added that DE-CIX itself doesn't operate any data centers, nor stores or processes data on its own.

This statement only speaks about the past, so it doesn't contradict the fact that the BND was recently authorized to intercept the communications from 25 internet service providers (ISPs), with their cables being tapped at the DE-CIX internet exchange, as was reported by Der Spiegel on October 6, 2013. A letter containing this authorisation was sent to the Association of the German Internet Industry, which is the owner of the company that operates the Frankfurt internet exchange.

Among these 25 providers there are foreign companies from Russia, Central Asia, the Middle East and North Africa, but also 6 German providers: 1&1, Freenet, Strato AG, QSC, Lambdanet and Plusserver, who almost exclusively handle domestic traffic.

However, Strato AG said they would never agree to such a wiretapping order, and 1&1 declared they never received a letter from BND and suggested that if there's any interception, this may take place in cooperation with DE-CIX Management GmbH, the organisation that operates the Frankfurt internet exchange.

This would mean that currently BND isn't tapping the whole internet exchange, but only the cables from selected providers, which is of course much more efficient. Tapping the whole exchange would probably also exceed BND's technical capabilities, as nowadays DE-CIX connects some 550 ISPs from more than 55 countries (including North Korea), including broadband providers, content delivery networks, web hosters, and incumbent operators.

If that's the case, then the actual interception could take place at DE-CIX systems, maybe at the core fiber network or the core switch. This means BND only needs the cooperation of the DE-CIX management, and the individual providers can honestly deny that their cables are being intercepted.

According to Der Spiegel, the BND copies the data stream and then searches it using keywords related to terrorism and weapon proliferation. A BND spokesman assured the Wall Street Journal in October last year that purely domestic German traffic is neither gathered nor stored.

Simplified structure of the Internet, showing how Tier 1, Tier 2 and Tier 3 providers
transit data traffic in a hierarchical way and how Tier 2 providers exchange
traffic directly through peering at an Internet eXchange Point (IXP)
(diagram: Wikimedia Commons)

In August last year, a spokesman for the DE-CIX management said that he couldn't rule out that some providers connected to the exchange would allow interception on their equipment when so ordered by their national governments.

This points to for example Level 3, a US company that has a data center which houses some DE-CIX routers. But if Level 3 would have provided access to DE-CIX, then there was no need for NSA to cooperate with BND. Also, on August 1, 2013, Level 3 gave out a press release saying that the company had not given any foreign government access to its networks in Germany in order to conduct surveillance.

On March 26, 2015, the German parliamentary investigation commission heard Klaus Landefeld, board member of DE-CIX, who provided some interesting insights in the workings of this internet exchange.


Although we have no positive confirmation that Eikonal was part of the RAMPART-A program, this German operation perfectly fits the way in which foreign partners of NSA get access to important internet cables and switches and share the results with their American counterparts. In this case, NSA apparently cooperated with BND in order to get access to communications from Russia, and probably also from the Middle East and North Africa, that traveled through Germany.

The best kept secret is how and where such interception takes place, and we have seen that tapping the Frankfurt internet exchange DE-CIX is far more complex than it seems. This makes it difficult to pinpoint the taps, but by combining earlier press reports with the structure of the DE-CIX exchange, it seems unlikely that Deutsche Telekom was involved.

Update #1:
Because of the confusion about the role of Deutsche Telekom in operation Eikonal, the parliamentary investigation committee has decided to also investigate whether this company assisted BND in tapping the Frankfurt internet exchange or not. As an alternative option it's suggested that Deutsche Telekom might have just given access to its own Frankfurt backbone switch, instead of to DE-CIX - this would better fit NSA's description of what is intercepted under RAMPART-A: "International Gateway Switches; End-Point GSM Switches; Leased Internet Circuits; Internet Backbone Routers".

Update #2:
During hearings of BND officials by the German parliamentary committee investigating NSA spying, it became clear that operation Eikonal was indeed tapping into just one fiber-optic cable from Deutsche Telekom, and not into the Frankfurt internet exchange DE-CIX. This was confirmed by German media on December 4, 2014.

> See also: New details about the joint NSA-BND operation Eikonal

Links and Sources
- Sueddeutsche.de: Codewort Eikonal - der Albtraum der Bundesregierung (2014)
- Spiegel.de: Spying Together: Germany's Deep Cooperation with the NSA (2013)
- Heise.de: NSA-Abhörskandal PRISM: Internet-Austauschknoten als Abhörziele (2013)
- Spiegel.de: BND lässt sich Abhören von Verbindungen deutscher Provider genehmigen (2013)
- NSA presentation: RAMPART-A Project Overview (pdf) (2010)
- About the structure of the internet: Die Bosse der Fasern (2005)

- More comments on Hacker News
